Red Hat Bugzilla – Bug 454988
formencode 1.0 breaks chained validators
Last modified: 2008-07-17 10:15:49 EDT
Description of problem:
Formencode 1.0 breaks chained validators which do not use partial validation.
This is a known bug for upstream and was fixed in 1.0.1.
Please update python-formencode to 1.0.1 as this will break many applications
which do use chained validators. This may even be a security problem for Fedora
users because the chained validators are never called!
python-formencode-1.0.1-1.fc9 has been submitted as an update for Fedora 9
New package built for F-9 and RawHide. Security team will approve and then it
will be pushed to stable. If necessary, people can retrieve the package from
the "Build link" on this page before the package goes out:
Brief description of the problem for the security response team:
The formencode package allows people to write validators. Among other
places that these are used is within the TurboGears web framework. Thus, this
bug will affect any TurboGears applications shipped by Fedora or built on top of
the formencode-1.0 packages shipped with F-9.
In the TurboGears context, validators are used to check that input from a user
is in a form that the application expects. This can consist of transformations
(from a string into an integer, for instance) and checks (making sure that input
is a valid email address, that it only contains alphanumeric ASCII characters,
or that the input specifies a valid value within a database, for instance.)
This particular bug affected a class of validators known as chained validators.
These validators run after the other validators and are capable of checking
that multiple values meet a validity check as opposed to only a single value.
As an example, let's say the user is providing a timestamp, key and log message
to a method add_new_log(). A chained validator might check that the combination
of key and timestamp was not already recorded to avoid overwriting and losing
With the bug in formencode-1.0, the chained validator that checked for this case
would silently fail to run which means that overwriting of data might be possible.
Another scenario. I've written a cgi script that reads certain files from my
home directory and displays them on a web page. Because I'm not a very good
programmer my script takes a directory relative to my home directory and a
filename of information from the user and displays what's in there if the first
line of the file is "PUBLIC". The script has two sets of validators:
The first set checks that the directory will fall within my home directory and
that the filename doesn't contain any special characters like path separators.
The second set is two chained validators that make sure that "PUBLIC" is the
first line of the file and that the actual file is not a symlink to somewhere else.
Because of this bug, not only is any file in the home directory exposed but, if
I have a symlink to a directory somewhere else in the filesystem, any file in
that directory is exposed as well.
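To make the two-phase behaviour described in this comment concrete, and to show the kind of regression check a packager could run before pushing a formencode update, here is a small added example. It is not formencode's code or API: the `Schema`, `Invalid` and validator names are invented for this illustration, the record model follows the add_new_log() scenario above (timestamp, key, message), and the stored entry and timestamp value are constructed sample data. A chained validator needs the whole record because its rule spans two fields; if the schema skips that phase, the per-field checks still pass and the duplicate is accepted silently, which is exactly the failure mode the report describes. The `run_chained=False` switch models that defect so the check can be seen to catch it.

```python
"""Minimal model of a two-phase form schema: per-field validators first,
then chained validators over the whole cleaned record.  Added illustration
for this bug report; not formencode's own code or API.  All names here are
invented for the example."""


class Invalid(Exception):
    """Raised when a value (or a record) fails validation."""


def to_int(value):
    """Field validator: convert a string to int or reject it."""
    try:
        return int(value)
    except (TypeError, ValueError):
        raise Invalid("not an integer: %r" % (value,))


def non_empty(value):
    """Field validator: require a non-empty string."""
    if not isinstance(value, str) or not value.strip():
        raise Invalid("must be a non-empty string")
    return value.strip()


class NoDuplicateLogEntry:
    """Chained validator: sees the whole record, because the rule spans two
    fields (key + timestamp).  It counts its own invocations so a test can
    detect a schema that silently skips the chained phase."""

    def __init__(self, existing):
        self.existing = set(existing)  # (key, timestamp) pairs already stored
        self.calls = 0

    def __call__(self, record):
        self.calls += 1
        if (record["key"], record["timestamp"]) in self.existing:
            raise Invalid("entry already recorded for this key and timestamp")
        return record


class Schema:
    """Runs field validators, then (if enabled) the chained validators.
    run_chained=False models the formencode-1.0 defect described above."""

    def __init__(self, fields, chained_validators=(), run_chained=True):
        self.fields = fields
        self.chained_validators = list(chained_validators)
        self.run_chained = run_chained

    def to_python(self, data):
        clean, errors = {}, {}
        for name, validator in self.fields.items():
            try:
                clean[name] = validator(data.get(name))
            except Invalid as e:
                errors[name] = str(e)
        if errors:
            raise Invalid(errors)
        if self.run_chained:
            for chained in self.chained_validators:
                clean = chained(clean)
        return clean


# Constructed sample: one (key, timestamp) pair already recorded.
EXISTING = {("build", 1216300000)}


def make_schema(run_chained=True):
    return Schema(
        {"timestamp": to_int, "key": non_empty, "message": non_empty},
        chained_validators=[NoDuplicateLogEntry(EXISTING)],
        run_chained=run_chained,
    )


def chained_phase_runs(schema):
    """Regression check: submit a record that passes every per-field check
    but violates the cross-field rule.  The schema is only sound if the
    chained validator was invoked and rejected it."""
    dup = {"timestamp": "1216300000", "key": "build", "message": "dup"}
    checker = schema.chained_validators[0]
    before = checker.calls
    try:
        schema.to_python(dup)
    except Invalid:
        return checker.calls == before + 1
    return False  # accepted silently: the chained phase never ran


if __name__ == "__main__":
    print("fixed schema rejects duplicate:", chained_phase_runs(make_schema()))
    print("broken schema rejects duplicate:",
          chained_phase_runs(make_schema(run_chained=False)))
```

The check is deliberately built around a record that is valid field by field: a test that only feeds malformed fields would pass against the broken package too, because the per-field phase still works; only a cross-field violation exposes whether the chained phase ran.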
python-formencode-1.0.1-1.fc9 has been pushed to the Fedora 9 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update python-formencode'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-6312
python-formencode-1.0.1-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.